BugTraq
[OpenPKG-SA-2007.001] OpenPKG Security Advisory (cacti) Jan 01 2007 07:55PM
OpenPKG GmbH (openpkg-noreply openpkg com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/

Advisory Id (public): OpenPKG-SA-2007.001
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.001
Advisory Published: 2007-01-01 20:55 UTC

Issue Id (internal): OpenPKG-SI-20070101.01
Issue First Created: 2007-01-01
Issue Last Modified: 2007-01-01
Issue Revision: 09
____________________________________________________________________________

Subject Name: Cacti
Subject Summary: Network Monitoring and Graphing Frontend
Subject Home: http://www.cacti.net/
Subject Versions: * <= 0.8.6i

Vulnerability Id: none
Vulnerability Scope: global (not OpenPKG specific)

Attack Feasibility: run-time
Attack Vector: remote network
Attack Impact: manipulation of data, arbitrary code execution

Description:
Three vulnerabilities have been identified and exploited [0] in the
network monitoring and graphing frontend Cacti [1], versions up to
and including 0.8.6i. They can be exploited by malicious people to
bypass certain security restrictions, manipulate data and compromise
vulnerable systems.

First, the "cmd.php" script does not properly restrict access
to command line usage and is installed in a Web-accessible
location. Successful exploitation requires that the PHP variable
"register_argc_argv" is enabled, which is the default in the OpenPKG
"cacti" package.

Second, input passed in the URL to "cmd.php" is not properly
sanitised before being used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation requires again that the PHP variable
"register_argc_argv" is enabled, which is the default in the OpenPKG
"cacti" package.

Third, the results from the SQL queries passed by an attacker to
"cmd.php" are not properly sanitised before being used as shell
commands. This can be exploited to inject arbitrary shell commands,
too.

References:
[0] http://www.milw0rm.com/exploits/3029
[1] http://www.cacti.net/
____________________________________________________________________________

Primary Package Name: cacti
Primary Package Home: http://openpkg.org/go/package/cacti

Corrected Distribution:   Corrected Branch:    Corrected Package:
OpenPKG Enterprise        E1.0-SOLID           cacti-0.8.6i-E1.0.1
OpenPKG Community         2-STABLE-20061018    cacti-0.8.6i-2.20070101
OpenPKG Community         2-STABLE             cacti-0.8.6i-2.20070101
OpenPKG Community         CURRENT              cacti-0.8.6i-20070101
____________________________________________________________________________

For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD4DBQFFmWcnZwQuyWG3rjQRAuxRAJQOgbiiUxvdzP49SwiSqOoairz1AJ4v/e0A
pMG5BaGeIVcKH7Dnh7PSUQ==
=QT1T
-----END PGP SIGNATURE-----
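
A log triage sketch for the first issue described above, added here as an example and not part of the OpenPKG advisory: it flags HTTP requests that reach "cmd.php", which the advisory describes as a command-line script installed in a Web-accessible location. The common/combined access log format, the "/cacti/" install path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common/combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return None for unrelated lines, else a finding for a request to cmd.php."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Percent-decode and lowercase so cmd%2Ephp or CMD.PHP also match;
    # check every path segment so /cmd.php/extra is caught as well.
    path = unquote(parts.path).lower()
    if "cmd.php" not in path.split("/"):
        return None
    status = int(m["status"])
    served = 200 <= status < 300
    if served and parts.query:
        severity = "high"    # script ran with URL-supplied input
    elif served:
        severity = "medium"  # script is reachable over HTTP
    else:
        severity = "low"     # request was refused or the file is absent
    return {"host": m["host"], "time": m["time"],
            "status": status, "severity": severity}

def scan(lines):
    """Collect findings from an iterable of access log lines."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation address ranges, placeholder query).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2007:10:00:00 +0000] "GET /cacti/cmd.php?PLACEHOLDER HTTP/1.0" 200 512',
    '203.0.113.7 - - [01/Jan/2007:10:00:05 +0000] "GET /cacti/cmd%2Ephp HTTP/1.0" 200 0',
    '198.51.100.4 - - [01/Jan/2007:10:01:00 +0000] "GET /cacti/cmd.php?PLACEHOLDER HTTP/1.0" 403 199',
    '192.0.2.10 - - [01/Jan/2007:10:02:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any "high" or "medium" finding means the script was served over HTTP and the host should be checked against the corrected package versions listed in the advisory.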
